Customers and journalists examine a Tesla Model S sedan at an event in Beijing in April 2014.


Charlie Miller, left, and Chris Valasek are displayed on the navigation screen of a Jeep Cherokee, which the duo successfully hacked, in Ladue, Mo., in July. The breach showed just how vulnerable the new breeds of web-connected vehicles can be, and the challenges that manufacturers face in defending against attacks common in other technology fields.

This product image provided by Fiat Chrysler Automobiles shows the Uconnect 8.4-inch infotainment system on a 2014 Jeep Cherokee Limited. FCA on Wednesday said that it has a software fix that will prevent future hacking into the Jeep Cherokee and other vehicles. Owners of some 2013 and 2014 model year vehicles with 8.4-inch touchscreen infotainment systems can download the software from FCA's UConnect Web site and install it on their vehicles.

Motorists guide their vehicles down Interstate 70 through heavy traffic and light rain in Evergreen, Colo. Fiat Chrysler on Wednesday said that it has a software fix that will prevent future hacking into the Jeep Cherokee and other vehicles.

As Def Con rolls into Las Vegas today, it is drawing the usual assortment of computer hackers, information technologists and government workers, all seeking the most cutting-edge tactics in elevating – and infiltrating – cybersecurity.

But two sessions at the annual hacker convention figure to pique the interest of a different crowd: car companies.

“How to Hack a Tesla Model S” and “Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars” will be well-attended in the wake of last month’s well-publicized cyberattack on a moving Jeep Cherokee and a subsequent, non-sanctioned hack of General Motors’ infotainment system.

In July, a pair of well-intentioned hackers took control of the Jeep as a Wired magazine reporter drove the vehicle 70 mph, 10 miles away. The hackers ran the vehicle’s air conditioning, radio, windshield wipers, brakes and steering – all via laptop, by infiltrating the vehicle’s Internet-connected infotainment system.

In response, on July 16, Fiat Chrysler posted an urgent security patch on its website, and recalled 1.4 million of its 2013 to 2015 model year vehicles to install the protective software. And, this week, the National Highway Traffic Safety Administration launched an investigation of Harman Kardon, maker of the Jeep UConnect system and similar systems for other automakers.

For the auto industry, the hack, the recall and NHTSA’s investigation offer a glimpse of a potential future for the so-called connected car.

LINKED UP, WIDE OPEN

One part of that future is already here.

“Cars are computers now,” said Mark Rosekind, NHTSA’s administrator, during a news conference following the incidents. “They have been for a while.”

A lot of cars already are equipped with wireless connectivity, whether it’s Bluetooth that enables the car to communicate with a smartphone, or Wi-Fi, which connects mobile communication devices with the Internet, and the trend is accelerating. That technology figures to expand. By 2022, more than 82 million cars globally will be connected to the Web – triple the number today – according to the international research firm IHS Automotive.

But the technologies that let cars hook up with phones and tablets also make them vulnerable.

Vehicles are “a collection of computers that are interfacing,” said Matt Clemens, a senior engineer with Arxan, a cybersecurity company that specializes in preventing reverse engineering and tampering of software that operates everything from military equipment to cars.

“What will be very important is the ability for newer vehicles to have their software securely and safely updated remotely, so you don’t have to go through what Jeep is going through, which is a huge recall which is costing them a lot of money.”

Concern over the Jeep hack was compounded by a cyberattack on GM’s OnStar infotainment system a week later, which “just highlights the number of points of entry” for hackers, Rosekind said.

So far, consumer advocates say public safety is not at widespread risk. But the cybersecurity of connected cars is raising concerns among people who make and drive vehicles.

“For several years now, car companies have been adding software and computer and Internet capabilities to their automobiles, but they may not have been putting the same level of care into the security,” said Kurt Opsahl, deputy executive director of the Electronic Frontier Foundation, a nonprofit civil rights group in San Francisco that represents the security research community.

“Cars are really just an example of issues arising from the Internet of Things, where more and more objects are being connected,” Opsahl added.

BUG BOUNTIES

Many of the EFF’s clients are so-called red team analysts like the Jeep hackers – teams of IT specialists who pretend to be adversarial when they attempt to hack companies’ computer systems in an effort to expose, and hopefully repair, flaws before they become a bigger problem.

“It’s often more effective to have a group outside of the organization attempt to defeat your security because they will be most similar to an actual malicious attacker,” Opsahl said.

Technology companies, including Google, have long offered these “bug bounties,” which reward hackers with thousands of dollars to find vulnerabilities. But with automakers increasingly morphing into technology companies themselves, they, too, are beginning to offer them.

Tesla, the Palo Alto-based maker of electric vehicles, encourages people outside the company to attempt to find vulnerabilities in its systems, said spokeswoman Alexis Georgeson.

While Tesla does not provide vehicles for its bug bounties, or disclose how much it might pay, the company’s website details its security vulnerability reporting policy.

Among other things, Tesla offers a dedicated email address through which people can report “legitimate” flaws, offering the assurance that it will not take legal action against the reporting party as long as that person follows certain guidelines.

The site even has a Tesla Security Research Hall of Fame that acknowledges their efforts by name; 24 people are listed.

Tesla has been displaying a Model S at Def Con for the past two years and will again this weekend, Georgeson said.

General Motors, which is advertising its new Chevrolet lineup by flaunting its 4G Wi-Fi capability, found its Internet capability exploited last week, following a hacker’s report that he could access its OnStar RemoteLink app to locate, unlock and remotely start GM vehicles.

GM says it has since fixed the vulnerability, but the incident highlights the ongoing and ever-evolving nature of automotive cybersecurity.

Despite its participation in collaborative computer programming conferences known as hackathons and its status as the first automaker to appoint a chief product cybersecurity officer in September 2014, General Motors was still susceptible to a hack, as are all automakers building Internet-enabled vehicles.

In its effort to improve on that front, GM is similar to many car companies in that it is taking a multidisciplinary approach, working with security experts inside and outside of the company and with the industry as a whole, said spokeswoman Rebecca White.

The company uses a global team that works “with researchers, security solution providers, educational institutions, and aerospace and defense organizations to leverage their expertise to minimize the risk of unauthorized access to vehicles and customer data,” she said.

Ford Motor Co., which uses a different communications and entertainment architecture than Fiat Chrysler and General Motors, “invests in security solutions that are built into the product from the outset,” said company spokesman Alan Hall.

“Our security team has developed hardware and software safeguards, as well as specific processes to help mitigate remote access risks in all our vehicles, whether they feature embedded cellular connections or not,” he said.

Recognizing that vehicle infotainment systems are the most vulnerable to attack, BMW uses something called transport encryption to protect data as it travels over a wireless communication network. The company also segregates infotainment functions from safety features, according to BMW spokesman Dave Buchko.

The company routinely performs security penetration tests both in-house and with independent institutes.

DRIVING FORWARD

If cars are vulnerable now, when their internal technologies can hook up with phones, tablets and laptops, what happens when cars can hook up with one another?

“As you open up any kind of vehicle-to-vehicle content, that makes it eminently more vulnerable because you have to be able to talk to the other car, which opens a channel for someone else to act like another car and tell you erroneous data,” said John Mendel, executive vice president of American Honda in Torrance.

It is a “huge issue,” Mendel added. “It’s as big a safety issue as any other cybersecurity issue and an increasingly large threat for the auto industry.”

It’s possible the industry will fight the problem by taking it public.

In their press conference following the GM incident, NHTSA officials called on the auto industry to work with the federal government to address the threat of automotive cyberattacks.

An industry trade group, the Alliance of Auto Manufacturers, already is working to establish an information sharing and analysis center for automakers to determine digital threats and vulnerabilities. The center is expected to be operational later this year.

Late last month, U.S. Sens. Edward J. Markey, D-Mass., and Richard Blumenthal, D-Conn., introduced the Security and Privacy in Your Car Act to set federal standards to secure cars while also protecting drivers’ privacy.

Rosekind, of NHTSA, suggested laws of some sort will be needed to protect consumers from auto-related hacks.

“Whether it happens again tomorrow or a month from now or a year from now, it doesn’t matter. These are areas we have to address.

“Everybody’s been saying ‘cyber security,’” he added. “Now, you have to step up.”
